Merge branch '3078-make-token-secretstr' into develop

Issue #3078
PR #3211

Author: mssalvatore

monkey/common/types/__init__.py

@@ -5,4 +5,4 @@
 from .networking import NetworkService, NetworkPort, PortStatus, SocketAddress, NetworkProtocol
 from .plugin_types import PluginName
 from .plugin_types import PluginVersion
-from .otp import OTP
+from .secrets import OTP, Token

monkey/common/types/otp.py monkey/common/types/secrets.py

@@ -3,3 +3,4 @@
 from pydantic import SecretStr
 
 OTP: TypeAlias = SecretStr
+Token: TypeAlias = SecretStr

monkey/monkey_island/cc/services/authentication_service/authentication_facade.py

@@ -5,7 +5,7 @@
 
 from flask_security import UserDatastore
 
-from common.types import OTP
+from common.types import OTP, Token
 from common.utils.code_utils import secure_generate_random_string
 from monkey_island.cc.event_queue import IIslandEventQueue, IslandEventTopic
 from monkey_island.cc.models import IslandMode
@@ -14,7 +14,6 @@
 
 from . import AccountRole
 from .i_otp_repository import IOTPRepository
-from .types import Token
 from .user import User
 
 OTP_EXPIRATION_TIME = 2 * 60  # 2 minutes
@@ -104,7 +103,7 @@ def refresh_user_token(self, user: User) -> Tuple[Token, int]:
         """
         self.revoke_all_tokens_for_user(user)
 
-        return str(user.get_auth_token()), self._token_ttl_sec
+        return Token(user.get_auth_token()), self._token_ttl_sec
 
     def authorize_otp(self, otp: OTP) -> bool:
         # SECURITY: This method must not run concurrently, otherwise there could be TOCTOU errors,

monkey/monkey_island/cc/services/authentication_service/flask_resources/refresh_authentication_token.py

@@ -34,7 +34,7 @@ def post(self):
             response = {
                 "response": {
                     "user": {
-                        ACCESS_TOKEN_KEY_NAME: new_token,
+                        ACCESS_TOKEN_KEY_NAME: new_token.get_secret_value(),
                         TOKEN_TTL_KEY_NAME: token_ttl_sec,
                     }
                 }

monkey/monkey_island/cc/services/authentication_service/types.py

@@ -3,16 +3,15 @@
 import pytest
 
 from common.common_consts.token_keys import ACCESS_TOKEN_KEY_NAME, TOKEN_TTL_KEY_NAME
+from common.types import Token
 from monkey_island.cc.services.authentication_service.authentication_facade import (
     AuthenticationFacade,
 )
 from monkey_island.cc.services.authentication_service.flask_resources.refresh_authentication_token import (  # noqa: E501
     RefreshAuthenticationToken,
 )
 
-REQUEST_AUTHENTICATION_TOKEN = "my_authentication_token"
-
-NEW_AUTHENTICATION_TOKEN = "new_authentication_token"
+NEW_AUTHENTICATION_TOKEN = Token("new_authentication_token")
 TOKEN_TTL_SEC = 123
 
 
@@ -37,7 +36,10 @@ def test_token__provides_refreshed_token(
     response = request_token()
 
     assert response.status_code == HTTPStatus.OK
-    assert response.json["response"]["user"][ACCESS_TOKEN_KEY_NAME] == NEW_AUTHENTICATION_TOKEN
+    assert (
+        response.json["response"]["user"][ACCESS_TOKEN_KEY_NAME]
+        == NEW_AUTHENTICATION_TOKEN.get_secret_value()
+    )
     assert response.json["response"]["user"][TOKEN_TTL_KEY_NAME] == TOKEN_TTL_SEC
 
 

monkey/tests/unit_tests/monkey_island/cc/services/authentication_service/flask_resources/test_refresh_authentication_token.py

@@ -133,12 +133,12 @@ def reset_uniquifier(user: User):
     mock_user_datastore.set_uniquifier.side_effect = reset_uniquifier
     user = User(username=USERNAME, password=PASSWORD, fs_uniquifier="a")
 
-    original_access_token = user.get_auth_token()
+    original_access_token = str(user.get_auth_token())
     new_access_token, token_ttl_sec = authentication_facade.refresh_user_token(user)
 
     mock_user_datastore.set_uniquifier.assert_called_once()
     assert mock_user_datastore.set_uniquifier.call_args[0][0].username == user.username
-    assert new_access_token != original_access_token
+    assert new_access_token.get_secret_value() != original_access_token
     assert token_ttl_sec == TOKEN_TTL_SEC